Watch out for Winter Olympics scams and cyberthreats
Major global events like the Winter Olympics consistently attract cybercriminal activity due to their visibility and extensive digital presence. Threat actors have previously exploited the Games through tactics such as fake ticketing sites, malware attacks on official systems, and opportunistic hacktivism. As Milano‑Cortina 2026 unfolds, several common threats are expected.
Phishing attempts
Unsolicited emails, texts, or social media messages impersonating organisers or sponsors may request personal or financial information, or direct victims to malicious links and attachments. Common examples include fake streaming offers, prize draws, or notifications about ticket issues.
Fake Olympic websites
Scammers may create convincing ticketing or travel sites, or post fraudulent listings on legitimate platforms such as Airbnb, eBay, or Facebook Marketplace, with the aim of stealing payment details.
Illegal streaming sites
Websites offering free event streams often host malware in links, downloads, or overlay ads that redirect users to malicious content.
Fake mobile apps
Malicious apps posing as official Olympics applications may deploy info-stealing malware, especially when downloaded from third‑party app stores.
SEO poisoning
Scammers may promote malicious sites to the top of search results using paid ads or manipulation techniques.
Support scams
Fraudsters monitor social media and may impersonate official support teams to obtain personal or booking information.
QR code phishing (quishing)
Malicious QR codes placed at events can lead to phishing sites or malware downloads, exploiting users’ lower suspicion of QR‑based interactions.
Public Wi‑Fi risks
Fake or compromised hotspots can capture personal and financial information.
Protect Yourself (and Staff)
To protect yourself from these threats you should look to:
Strengthen Your Technical Defences
- Use reputable antivirus/endpoint security – Real‑time protection blocks malware, malicious websites, and phishing attempts.
- Keep software fully patched – Out‑of‑date systems are a major attack vector.
- Enable account protection features – For example, enforce lockout policies and avoid granting consent to unmanaged apps.
Be cautious with Links, QR Codes & Attachments
Many of the threats listed (phishing, quishing, fake websites, fake apps) rely on tricking users into clicking:
- Don’t click links in unsolicited emails or texts, even if they look official.
- Avoid scanning QR codes in public places unless you trust the source.
- Type official URLs manually for tickets, travel, or live streams rather than following search‑engine results (to avoid SEO‑poisoned sites).
Validate Websites, Apps & Offers
When possible, validate the legitimacy of websites, apps and offers:
- Only download apps from official app stores (Apple App Store, Google Play, Microsoft Store).
- Check website legitimacy – look for HTTPS, check the URL carefully, avoid sites reached via ads.
- Treat “too good to be true” offers as scams, especially around major events.
Avoid Untrusted Wi‑Fi
Public or spoofed Wi‑Fi hotspots can steal data:
- Use mobile data or a corporate VPN instead.
- Disable auto‑connect to open networks on your phone or laptop.
Maintain Secure Backups
Backups help you to recover if a system becomes compromised.
Train Yourself (and Staff) to Recognise Threats
Human error is one of the biggest cybersecurity risks. Phishing‑simulation training creates a “culture of security awareness”. Awareness training dramatically improves detection of suspicious emails, fake websites, and impersonation scams.
Have an Incident Response Plan
If something does go wrong, knowing what to do limits damage:
Your Incident Response Plan checklist outlines how to prepare, detect, respond, and recover.
If you feel your business has a poor security posture and would like some help improving it, contact us to see how we could help you.
